
chore(deps): bump the production-dependencies group across 1 directory with 2 updates #1

Merged
TheCryptoDonkey merged 1 commit into main from
dependabot/npm_and_yarn/production-dependencies-93deed0f06
Apr 12, 2026

Conversation

@dependabot
Contributor

@dependabot dependabot bot commented on behalf of github Apr 12, 2026

Bumps the production-dependencies group with 2 updates in the / directory: @forgesworn/shamir-words and nsec-tree.

Updates @forgesworn/shamir-words from 1.0.4 to 1.1.0

Release notes

Sourced from @forgesworn/shamir-words's releases.

v1.1.0

Changed

  • migrate release tooling from semantic-release to forgesworn/release-action. Removes three semantic-release devDependencies and their transitive tree, replaces the classic NPM_TOKEN + NPM_CONFIG_PROVENANCE=true publish path with OIDC trusted publishing driven by publishConfig.provenance: true in package.json, and hardens the pre-publish path with gated secret scanning over dist/ + src/, exports-map verification, runtime-only npm audit, unpinned-action audit, and per-release tarball integrity recording. No runtime, API, or wire-format changes for consumers.

Why

@forgesworn/shamir-words was previously publishing via semantic-release's classic token path. The migration replaces it with pure-bash release tooling that (a) removes long-lived NPM_TOKEN from the repo secrets once a new OIDC trusted publisher is configured at npmjs.com, (b) adds hard pre-publish gates tuned for cryptography-adjacent libraries, and (c) stamps the published tarball's sha256/sha512 into the GitHub Release body so consumers can hash-compare against the registry tarball at any time.

@forgesworn/shamir-words is the third consumer of forgesworn/release-action after nsec-tree@1.5.0 and geohash-kit@1.6.0, and the first scoped-package consumer — validating the scoped-package trusted-publisher path in the wild.

Artefact integrity

file:      forgesworn-shamir-words-1.1.0.tgz
size:      6181 bytes
sha256:    15c559ad573d68bee8a315f83576ba2a6850149b18519397973d53d64c63f668
sha512-kcuvRFq092IjPt+lUxTt9AfkI616DwnC86sDynfIlRhoyZIAwVQSXq+9YiHGPDckL3+wj+u9Anv43DNpBMc+eg==

Verify against the registry tarball:

curl -sLO https://registry.npmjs.org/@forgesworn/shamir-words/-/shamir-words-1.1.0.tgz
shasum -a 256 shamir-words-1.1.0.tgz

(Verification recipe corrected post-publish to use the registry-side tarball filename. The previous recipe used the local npm pack output name, which 404s on scoped packages. Fix shipped as forgesworn/release-action@v0.3.1 for future releases. sha256 and sha512 values are unchanged — the recorded hashes were always correct and match the registry tarball byte-for-byte.)

Changelog

Sourced from @forgesworn/shamir-words's changelog.

1.1.0 (2026-04-11)

Changed

  • migrate release tooling from semantic-release to forgesworn/release-action. Removes three semantic-release devDependencies and their transitive tree, replaces the classic NPM_TOKEN + NPM_CONFIG_PROVENANCE=true publish path with OIDC trusted publishing driven by publishConfig.provenance: true in package.json, and hardens the pre-publish path with gated secret scanning over dist/ + src/, exports-map verification, runtime-only npm audit, unpinned-action audit, and per-release tarball integrity recording. No runtime, API, or wire-format changes for consumers.

Why

@forgesworn/shamir-words was previously publishing via semantic-release's classic token path. The migration replaces it with pure-bash release tooling that (a) removes long-lived NPM_TOKEN from the repo secrets once a new OIDC trusted publisher is configured at npmjs.com, (b) adds hard pre-publish gates tuned for cryptography-adjacent libraries, and (c) stamps the published tarball's sha256/sha512 into the GitHub Release body so consumers can hash-compare against the registry tarball at any time.

@forgesworn/shamir-words is the third consumer of forgesworn/release-action after nsec-tree@1.5.0 and geohash-kit@1.6.0, and the first scoped-package consumer — validating the scoped-package trusted-publisher path in the wild.

Commits
  • 24977df chore: enable Dependabot and secret scanning
  • adfd00b chore: migrate release tooling to forgesworn/release-action
  • 92182e7 docs: add SECURITY.md with audit status and algorithm citations
  • f105e39 docs: add COOKBOOK.md with 8 worked integration patterns
  • b7c5013 docs: add ForgeSworn toolkit table with nsec-tree and dominion highlights
  • 399cd05 docs: add AI discoverability files and README badges
  • 042129d docs: expand llms-full.txt with error handling, GF(256) rationale, edge cases
  • 5837ba5 docs: update context7.json for library claim
  • 8206ff2 docs: add context7.json for AI discoverability
  • 6edc22e docs: add SECURITY.md
  • Additional commits viewable in compare view

Updates nsec-tree from 1.4.4 to 1.5.0

Release notes

Sourced from nsec-tree's releases.

v1.5.0

Changed

  • migrate release tooling from semantic-release to forgesworn/release-action. Removes hundreds of transitive devDependencies, eliminates bundled-npm Dependabot noise (handlebars, lodash, picomatch, brace-expansion), and preserves OIDC trusted publishing with provenance. No runtime or API changes for consumers.

Why

semantic-release's bundled npm CLI emits chronic Dependabot advisories that do not affect published artefacts, and its transitive dependency graph is large enough to conflict with the supply-chain posture a cryptography library should hold itself to. The replacement is a pure-bash release tool with hard pre-publish gates: tag-match against package.json, frozen-vector check, exports-map sanity, secret scan over packable artefacts, and runtime-only npm audit. Zero Node tooling inside the release action itself.

nsec-tree is the pilot consumer; the action is intended for org-wide rollout once it has shipped at least one release end to end.

Changelog

Sourced from nsec-tree's changelog.

1.5.0 (2026-04-11)

Changed

  • migrate release tooling from semantic-release to forgesworn/release-action. Removes hundreds of transitive devDependencies, eliminates bundled-npm Dependabot noise (handlebars, lodash, picomatch, brace-expansion), and preserves OIDC trusted publishing with provenance. No runtime or API changes for consumers.

Why

semantic-release's bundled npm CLI emits chronic Dependabot advisories that do not affect published artefacts, and its transitive dependency graph is large enough to conflict with the supply-chain posture a cryptography library should hold itself to. The replacement is a pure-bash release tool with hard pre-publish gates: tag-match against package.json, frozen-vector check, exports-map sanity, secret scan over packable artefacts, and runtime-only npm audit. Zero Node tooling inside the release action itself.

nsec-tree is the pilot consumer; the action is intended for org-wide rollout once it has shipped at least one release end to end.

Commits
  • 7ce580f chore: migrate release tooling to forgesworn/release-action
  • 8cd12bf chore: patch dev dependency vulnerabilities
  • d5d5f0b docs: point NIP draft references at forgesworn/nip-drafts
  • 2011f8a docs: AI discoverability audit fixes
  • See full diff in compare view
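Added example, not code from the Dependabot PR or from the forgesworn projects: a Python rendering of the "Verify against the registry tarball" recipe in the shamir-words release notes above, which also encodes the scoped-package file-name caveat from that note (the registry tarball is shamir-words-1.1.0.tgz, while npm pack names it forgesworn-shamir-words-1.1.0.tgz). It parses the Artefact integrity block format, recomputes sha256 (hex) and sha512 (SRI base64, the form npm exposes as dist.integrity) and reports mismatches; the tarball bytes and the record it runs on are constructed stand-ins, not the real 1.1.0 artefact.

```python
"""Check an npm tarball against the sha256/sha512 recorded in a GitHub Release body."""
import base64
import hashlib
import re


def registry_tarball_url(name: str, version: str) -> str:
    """Registry tarball URL. The file name drops the scope: for @forgesworn/shamir-words
    it is shamir-words-1.1.0.tgz, not forgesworn-shamir-words-1.1.0.tgz (the npm pack name)."""
    bare = name.split("/")[-1]
    return f"https://registry.npmjs.org/{name}/-/{bare}-{version}.tgz"


def parse_integrity_block(text: str) -> dict:
    """Extract file, size, sha256 (hex) and sha512 (SRI 'sha512-<base64>') lines."""
    fields = {}
    for key in ("file", "size", "sha256"):
        m = re.search(rf"^{key}:\s*(\S+)", text, re.M)
        if m:
            fields[key] = m.group(1)
    m = re.search(r"^(sha512-[A-Za-z0-9+/=]+)$", text, re.M)
    if m:
        fields["sha512"] = m.group(1)
    return fields


def sri_sha512(data: bytes) -> str:
    """Subresource-Integrity form, the same shape npm stores as dist.integrity."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


def verify_tarball(data: bytes, recorded: dict) -> list:
    """Return the mismatches between the bytes and the record; an empty list means it matches."""
    problems = []
    if "size" in recorded and int(recorded["size"]) != len(data):
        problems.append(f"size {len(data)} != recorded {recorded['size']}")
    if hashlib.sha256(data).hexdigest() != recorded.get("sha256"):
        problems.append("sha256 mismatch")
    if sri_sha512(data) != recorded.get("sha512"):
        problems.append("sha512 mismatch")
    return problems


# Constructed stand-ins for a downloaded tarball and for its release-body record.
SAMPLE_DATA = b"constructed stand-in for shamir-words-1.1.0.tgz; not the real tarball\n"
SAMPLE_BLOCK = (
    "file:      forgesworn-shamir-words-1.1.0.tgz\n"
    f"size:      {len(SAMPLE_DATA)} bytes\n"
    f"sha256:    {hashlib.sha256(SAMPLE_DATA).hexdigest()}\n"
    f"{sri_sha512(SAMPLE_DATA)}\n"
)
```

For a real check, read the bytes fetched with curl -sLO from registry_tarball_url(...) and pass them with the release body text; `npm view <pkg>@<version> dist.integrity` gives a third value to compare against the sha512 line.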

@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 12, 2026
Bumps the production-dependencies group with 2 updates: [@forgesworn/shamir-words](https://github.com/forgesworn/shamir-words) and [nsec-tree](https://github.com/forgesworn/nsec-tree).


Updates `@forgesworn/shamir-words` from 1.0.4 to 1.1.0
- [Release notes](https://github.com/forgesworn/shamir-words/releases)
- [Changelog](https://github.com/forgesworn/shamir-words/blob/main/CHANGELOG.md)
- [Commits](forgesworn/shamir-words@v1.0.4...v1.1.0)

Updates `nsec-tree` from 1.4.4 to 1.5.0
- [Release notes](https://github.com/forgesworn/nsec-tree/releases)
- [Changelog](https://github.com/forgesworn/nsec-tree/blob/main/CHANGELOG.md)
- [Commits](forgesworn/nsec-tree@v1.4.4...v1.5.0)

---
updated-dependencies:
- dependency-name: "@forgesworn/shamir-words"
  dependency-version: 1.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: nsec-tree
  dependency-version: 1.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot changed the title chore(deps): bump the production-dependencies group with 2 updates chore(deps): bump the production-dependencies group across 1 directory with 2 updates Apr 12, 2026
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/production-dependencies-93deed0f06 branch from fe474eb to c4c6879 April 12, 2026 20:10
@TheCryptoDonkey TheCryptoDonkey merged commit 87ee8af into main Apr 12, 2026
1 check passed
@TheCryptoDonkey TheCryptoDonkey deleted the dependabot/npm_and_yarn/production-dependencies-93deed0f06 branch April 12, 2026 20:46